Twig is a template language for PHP. When using the ?? operator, output escaping was missing for the expression on the left side of the operator. This vulnerability is fixed in 3.19.0.
{ "ubuntu_priority": "low", "priority_reason": "It's exploited only if an user creates a vulnerable template" }